topic Re: Regex Look back two characters in Splunk Search

Regex Look back two characters

hartfoml — Wed, 28 Aug 2013 16:41:49 GMT

I am looking for the group name from the phonehome command.

I tried the auto extractor and it was only marginally helpful.

Here is the line to read:
POST /services/broker/phonehome/connection_xxx.xxx.xxx.xxx_xxxx_mysystem.com_mysystem_aa HTTP/1.0

The piece i am trying to find is the group name "aa" at the end of the string just before the \sHTTP/

I don't know how to right a regex to look back from the HTTP to find the two group letters. (always only two letters)

Any help would be great

wpreston — Wed, 28 Aug 2013 20:19:16 GMT

If it is always only two letters, and they are always lowercase, the following should work:

(?<GroupName>[a-z]{2})\sHTTP

You can add A-Z inside the [] if they could be uppercase letters. If you want to try this extraction in Splunk, try:

...your search... | rex "(?<GroupName>[a-z]{2})\sHTTP"

hartfoml — Wed, 28 Aug 2013 20:55:07 GMT

Thanks for the help.

If you don't mind can you please help with the regex to extract the "mysystem" name just before the _aa

wpreston — Thu, 29 Aug 2013 01:05:20 GMT

Sure, not a problem. Using the sample event, this regex should work to extract both fields:

\_(?<SystemName>[^\_]+)\_(?<GroupName>[a-z]{2})\sHTTP

hartfoml — Thu, 29 Aug 2013 13:48:36 GMT

this is great thanks